Authentication

Authentication means proving that a user is who he claims to be; authorization then makes sure he accesses only what he's allowed to. Mandy Andress discusses the types of authentication available to your organization and tells where they work best.

This article is excerpted from her book Surviving Security: How to Integrate People, Process, and Technology.

Authentication, the process of proving that someone is who he claims
to be, is one of the most important components of your security infrastructure.
Users need information, but you want to make sure that you know who is accessing
that information. Only specific individuals should see your company's payroll
data or product source code, for example.

Although authentication is important, it does not exist in a vacuum. To be
effective, authentication works together with identification and authorization.
Identification, such as a username, determines whether a user is known
to the system; authorization determines whether the authenticated user is allowed to
access the requested resource or data. Authorization can take many forms;
Windows NT file permissions are a familiar example.

NOTE

Identification, authentication, and authorization are often collectively
referred to as access controls.

Identification, authentication, and authorization work in tandem to answer
four very important questions:

Who are you?

Do you belong here?

What rights do you have?

How do I know that you are who you say you are?

These questions must be answered before a user can access any protected resource,
whether it be a Web server, a workstation, or a router.

Authentication can function at all levels of your security infrastructure.
You are probably most familiar with authentication to a Network Operating System
(NOS), such as a Windows NT domain. Every time you fire up your computer at
work, you have to log on to the NT domain before you can access any resources.

You can require users to authenticate to almost anything, including your firewall
to gain access to the Internet, your mail server to check your email, your intranet
Web server to gain access to the corporate intranet, the database to access
customer data, and numerous other applications that enable you to go about your
day-to-day activities.

Although authentication provides you with valuable information about who is
accessing the application and when, users get very tired of dealing with so
many accounts. Single sign-on is one technology that aims to relieve users of
this problem.

Multifactor Authentication

Before getting to specific technologies, I want to discuss the three major
types of authentication commonly used today (listed from weakest to strongest).
These are authentication based on:

Something you know—Personal identification number (PIN),
password.

Something you have—SecurID, smart card, iButton.

Something you are—That is, some measurable physical characteristic
of you, such as fingerprints or speech. This authentication technique is called
biometrics.

Smart cards, SecurID, and iButtons are great for authentication, but what
happens if someone steals your device? If all that is required for
authentication is the presence of a token device, your authentication is not
much stronger than a regular old password: whoever holds the token is the user.

Individually, any one of these approaches has its limitations.
"Something you have" can be stolen or lost, whereas "something you
know" can be guessed, shared, or forgotten. "Something you are"
is generally the strongest approach, but it can be costly to implement, and,
unlike a password, a compromised biometric cannot be changed.

To make authentication stronger, you can combine methods from different
categories, often referred to as multifactor or strong authentication. (Two
passwords are still one factor.) The most common type is
two-factor authentication, such as using a PIN code as well as a SecurID token
to log on to your network. The example of two-factor authentication with which
you are probably most familiar is your ATM card: you insert your card
(something you have) into the ATM and enter your PIN (something you
know) to access your account and perform transactions.

You also can use three-factor authentication. For example, if you use
biometrics to authenticate users to the network, you can store the fingerprint
information on an iButton that is accessible only with the user's PIN.